add 6.1.12

This commit is contained in:
firmianay 2018-03-16 21:04:38 +08:00
parent bce95a5b08
commit 69b85812eb
9 changed files with 225 additions and 2 deletions

View File

@ -118,6 +118,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md)
* re * re
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

View File

@ -0,0 +1,42 @@
# 6.1.12 pwn N1CTF2018 vote
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.12_n1ctf2018_vote)
## 题目复现
这个题目给了二进制文件和 libc
```
$ file vote
vote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=53266adcfdcb7b21a01e9f2a1cb0396b818bfba3, stripped
$ checksec -f vote
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 vote
```
看起来就是个堆利用的问题:
```
$ ./vote
0: Create
1: Show
2: Vote
3: Result
4: Cancel
5: Exit
Action:
```
然后就可以把它运行起来了:
```
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &
```
## 题目解析
#### Exploit
## 参考资料
https://ctftime.org/task/5490

View File

@ -2,6 +2,7 @@
- [题目解析](#题目解析) - [题目解析](#题目解析)
- [Exploit](#exploit) - [Exploit](#exploit)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter) [下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter)
@ -182,3 +183,7 @@ payload_2 += str(frame_2)
io.sendline(payload_2) io.sendline(payload_2)
io.interactive() io.interactive()
``` ```
## 参考资料
https://ctftime.org/task/4939

View File

@ -970,4 +970,4 @@ p.interactive()
## 参考资料 ## 参考资料
- [Exploitation](https://ctftime.org/task/4528) https://ctftime.org/task/4528

View File

@ -4,7 +4,7 @@
- [参考资料](#参考资料) - [参考资料](#参考资料)
章节 4.5 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。 章节 5.8.1 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。
[下载文件](../src/writeup/6.2.2_re_ectf2016_tayy) [下载文件](../src/writeup/6.2.2_re_ectf2016_tayy)

View File

@ -12,6 +12,7 @@
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md) - [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md) - [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md) - [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
- [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md)
- re - re
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

View File

@ -0,0 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &

Binary file not shown.

View File

@ -0,0 +1,173 @@
#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#define MAX 0x10
char *users[MAX];
long counts[MAX];
int vote_num;
void read_until_nl_or_max(char *dst, size_t len) {
size_t i = 0;
for (;;) {
if (read(0, &dst[i], 1) == -1)
exit(1);
if (dst[i] == '\n') {
dst[i] = '\0';
return;
}
i++;
if (i >= len) {
dst[i - 1] = '\0';
return;
}
}
}
void puts_heapless(char *str) {
write(1, str, strlen(str));
write(1, "\n", 1);
fflush(stdout);
}
void print(char *str) {
write(1, str, strlen(str));
fflush(stdout);
}
int read_int() {
char tmp[8];
memset(tmp, 0, 8);
read_until_nl_or_max(tmp, 8);
return atoi(tmp);
}
void *vote_thread(void *arg) {
sleep(3);
++(counts[vote_num]);
return NULL;
}
void create() {
int size;
char *user;
int i;
for (i = 0; i < MAX; i++) {
if (users[i] == NULL) {
print("Please enter the name's size: ");
size = read_int();
if (size > 0 && size <= 0x1000) {
user = (char *)malloc(size + 0x10);
*(long *)(user) = 0;
*(long *)(&user[8]) = time(NULL);
print("Please enter the name: ");
read_until_nl_or_max(&user[16], size);
users[i] = user;
}
return;
}
}
}
void show() {
int index;
char tmp[266];
memset(tmp, 0, 266);
print("Please enter the index: ");
index = read_int();
if (index >= 0 && index < MAX && users[index] != NULL) {
snprintf(tmp, 256, "name: %s\ncount: %lu\ntime: %lu", &users[index][16], *(long *)(users[index]), *(long *)(&users[index][8]));
puts_heapless(tmp);
}
}
void vote() {
int index;
pthread_t id;
print("Please enter the index: ");
index = read_int();
if (index >= 0 && index < MAX && users[index] != NULL) {
++(*(long *)(users[index]));
*(long *)(&users[index][8]) = time(NULL);
vote_num = index;
pthread_create(&id, NULL, &vote_thread, NULL);
}
}
void result() {
int i;
char tmp[266];
memset(tmp, 0, 266);
for (i = 0; i < MAX; i++) {
if (counts[i] != 0) {
snprintf(tmp, 256, "%d\t->\t%lu", i, counts[i]);
puts_heapless(tmp);
fflush(stdout);
}
}
}
void cancel() {
int index;
print("Please enter the index: ");
index = read_int();
if (index >= 0 && index < MAX && users[index] != NULL) {
--(counts[index]);
--(*(long *)(users[index]));
if (counts[index] == *(long *)(users[index])) {
if (counts[index] < 0) {
free(users[index]);
}
return;
}
if (counts[index] < 0) {
printf("%s", &users[vote_num][16]);
fflush(stdout);
puts_heapless(" has freed");
free(users[index]);
users[index] = 0;
}
}
}
int main(void) {
setvbuf(stdin, NULL, _IONBF, 0);
int c;
alarm(30);
for (;;) {
puts_heapless("0: Create");
puts_heapless("1: Show");
puts_heapless("2: Vote");
puts_heapless("3: Result");
puts_heapless("4: Cancel");
puts_heapless("5: Exit");
print("Action: ");
if (scanf("%d", &c) == EOF)
exit(1);
if (c == 0) {
create();
}
if (c == 1) {
show();
}
if (c == 2) {
vote();
}
if (c == 3) {
result();
}
if (c == 4) {
cancel();
}
if (c == 5) {
puts_heapless("Bye");
exit(0);
}
}
return 0;
}